(CNN)At least eight alt-right website domain names were registered to Columbus Nova, the company that paid hundreds of thousands of dollars to President Donald Trump's personal attorney Michael Cohen, according to internet records reviewed by CNN.

The domains, which include alternate-right.com, alt-rights.com and alternate-rt.com, were created in August 2016 during the presidential campaign season. That same month, CNN and other news outlets reported on the rising profile of the alt-right movement and its white nationalist connections.

Records show an employee, Frederick Intrater, whose brother Andrew Intrater is the CEO of Columbus Nova, used his company email address to register the web domains, and listed Columbus Nova as the registrant organization, along with the company's address.

Public documents show that Columbus Nova is the US face of the Russian investment company Renova Group, which is chaired by oligarch Viktor Vekselberg, who is the cousin of Andrew and Frederick Intrater.

Michael Avenatti, a lawyer for the adult film actress Stormy Daniels, circulated a document on Tuesday that purported to show that Columbus Nova gave $500,000 to Cohen in the first half of 2017.

Avenatti’s disclosures Tuesday about the money purportedly given to Cohen’s shell company, Essential Consultants, by Columbus Nova and other corporations, including some with business before the Trump administration, delivered a jolt to a news cycle as questions continue to swirl about whether the work that Cohen did on behalf of Trump complied with federal and state laws.

The unexpected federal raid of the his offices last month has raised the specter of a potential criminal charges for Cohen, who The Washington Post reported is under federal investigation for possible bank fraud, wire fraud and campaign finance violation shortly thereafter. Avenatti’s document appeared to herald the potential that two explosive story lines could converge: the Russia investigation and the $130,000 payout to Daniels, with Cohen at the center.

Avenatti claimed that Vekselberg may have provided funds that “replenished the account” following Cohen’s payments to Daniels. Vekselberg has denied through a spokesman that he or the company he founded, Renova Group, have had any “contractual relationship” with Cohen.

"As it turns out, Michael Cohen may have a point with his comparison to a lawyer-fixer who has a family ties to criminals, starting with his uncle Dr. Morton Levine who during the 1970s-80s owned the Brooklyn club El Caribe which was reportedly the headquarters for the Russian mob.

'TPM first reported last year that Cohen was actually a childhood friend of Felix Sater, whose father was himself a reputed capo in the Mogilevich organized crime syndicate, said to be Russia’s largest and most dangerous. Filling out this picture of how Cohen fell into this milieu we’ve always been focused on the fact that Cohen’s uncle, Morton Levine, owned and ran a Brooklyn social club, El Caribe, which was a well-known meeting spot for members of Italian and Russian organized crime families in the 1970s and 1980s.

According to published reports, in the 70s and early 80s, the boss of the Russian mob in New York (and for practical purposes the whole U.S) was a man named Evsei Agron. Things ended badly for Agron when was gunned down in a mob hit in 1985. After Agron was assassinated, his organization was taken over by under-boss Marat Balagula. Authorities believed Balagula was behind Agron’s killing. But he was never charged with the crime. Balagula ran things until 1991 when he was convicted of gasoline bootlegging.'

Both Agron and his successor Balagula ran their operations out of an office in the El Caribe social club. So the El Caribe wasn’t just a mob hangout. From the 70s through the 90s at least, the bosses of the Russian mafia in the U.S. literally ran their crime organization out of the El Caribe.

According to Levin, who is still alive, several of his nieces and nephews including Cohen have a stake in ownership of the club — that is until recently when Cohen gave up his stake just before Trump entered the White House.

That was probably wise.

Other reports about Cohen’s history are also fairly illuminating. Cohen’s father was a surgeon — like Morton Levin who is a medical doctor — and he grew up in a Jewish enclave of Five Towns in Long Island, New York. He attended the private Lawrence Woodmere Academy and American University. He studied law at Thomas M. Cooley School of Law in Michigan which InsideHigherEd.com once described as, “ known for admitting students other law schools would not touch.”

His started working in law in 1992 for the ambulance chaser firm of personal injury attorney Melvyn Estrin who had an office on lower Broadway in Manhattan and was eventually charged to insurance fraud.

Estrin was the first in a series of colleagues who would run afoul of authorities. Within three years of Cohen’s arrival, Estrin was charged with bribing insurance adjusters to inflate damage estimates and expedite claims. He later pleaded guilty, though Cohen was never implicated in any of the misdeeds. Estrin did not respond to a request for comment. He is still practicing law.

Cohen continued to use Estrin’s address on legal filings as late as 1999, but he added several new addresses during this period, including 22-05 43rd Ave., in Long Island City, Queens — the taxi garage. It was the headquarters of the New York branch of the empire of Simon Garber, a Soviet emigre who also has had cab companies in Chicago and Moscow. Charismatic and silver-haired, Garber released kitschy TV-style advertisements, in Russian, for his company.

Over the years, Garber has been convicted of assault in New York, arrested for battery in Miami and pleaded guilty in New Jersey to charges of criminal mischief involving him breaking into three neighbors’ homes, shattering glass doors, smearing blood all over and taking a shower. In Chicago, his taxi fleet included wrecked vehicles with illegally laundered titles.

Cohen’s Russian links go far beyond just Garber and his lifelong friend Felix Sater — it also includes his wife who was born in Soviet Ukraine.

In 1994 Cohen married Laura Shusterman, who was born in the Soviet Union. Her father, also a taxi entrepreneur, pleaded guilty to a felony, conspiracy to defraud the IRS, the year before.

By the late 1990s, records show, Cohen had begun acquiring taxi medallions, licenses required by the City of New York to operate a yellow cab. The number of medallions has been strictly controlled for decades. Before the advent of services like Uber, they were particularly valuable, with their price peaking at over $1 million in 2014.

Cohen co-owned some of the medallions with his wife, and indeed, his family and business relationships sometimes overlapped. Filings show his father-in-law once made a loan to Garber. And in 2001, Cohen borrowed money for one of his taxi companies, Golden Child Cab Corp., from one of the men convicted with Cohen’s father-in-law, Fima Shusterman, in the fraud against the IRS.

Continuing in some of the work he started with Melvyn Estrin in 2000, Cohen was involved a series of car insurance lawsuits representing plaintiffs who claimed to have been involved in accidents. However it appears that some of the accidents were staged and frequently involved Russian immigrants bringing suspicion that it might have been a scam concocted by the Russian mob.

At this time, a wave of staged auto accidents, involving immigrants from the former Soviet Union who claimed to have been hurt, had led prosecutors to open a massive investigation. They dubbed it Operation Boris, an acronym for Big Organized Russian Insurance Scam. The prosecutorial push resulted in hundreds of convictions.

And then you have allegations of medical fraud after Cohen drew up articles of incorporation for several medical supply companies such as Avex Medical Care PRC who sued insurance companies over 300 times. The plaintiff lawyer in almost all these cases was David Katz who was eventually disbarred for misconduct.

Dr. Zhanna Kanevsky, the principal of Life Quality Medical, a clinic business that Cohen incorporated in 2002, surrendered her medical license after pleading guilty to writing phony prescriptions for 100,000 oxycodone and other pills.

Once again, Cohen was never charged.

Cohen’s father-in-law Fima Shusterman as it turns out is the man who actually introduced Cohen to Donald Trump as he began transferring the wealth he accumulated through his Taxi Medallions into real estate ultimately purchasing properties in Trump Palace, Trump Park Ave, and Trump World Center while still operating his law office from inside the Queens taxi garage. Cohen soon began working for Trump as his “fixer” and deal maker along with his childhood friend Felix Sater.

Sater is admittedly a fairly interesting character himself. As noted above his father had been a capo in the Mogilevic crime family he’s done time for stabbing a man with stem of a Margarita glass back in the early 90’s. In the late 90’s Sater was linked and charged in a $40 Million stock fraud case that was being run by the Russian and Italian mobs. Sater was ultimately let off with a minor $35,000 fine after he agreed to become an informant against the mob for the FBI. One of the FBI agents involved in his case who had reportedly helped escort Sater back to the U.S. from Russia was Gary Uhr, who has since become a bodyguard for Donald Trump.

Another of Trump’s bodyguard’s was Keith Schiller who had been a former NYPD detective and was the person who tried to deliver the firing letter to James Comey at his office in DC while he was actually in Los Angeles, and who was personally mentioned both by Stormy Daniels and Karen McDougal as being present before and after their tryst with Trump. Schiller actually drove McDougal home after their initial sexual encounter while she was crying in shame in the back seat because Trump had offered her money. Schiller now provides security to the RNC and for questionable reasons Trump’s 2020 election campaign has provided $66,000 for his legal defense.

And Schiller isn’t Trump’s only link to the NYPD.

Trump supporters among the NYPD showed up at the president’s victory party at the Hilton in New York City, on election night, some in full dress uniform. The NYPD sex crimes chief donated thousands of dollars to the Trump campaign.

Sater became managing Director for Bayrock LLC real estate company in 2003, which was located on the 24th floor of Trump Tower and began doing Trump branded projects that year including Trump Tower in Phoenix, Trump International in Fort Lauterdale, Trump Camelback in Phoenix and Trump Soho in New York. Starting in 2005 they began fielding projects for Trump Tower Moscow.

In addition to Trump’s link to the New York FBI via Sater and Uhr, Trump also donated a $1 million dollars to a charity operated by the then NY FBI Chief James Kallstrom-while running for the GOP nomination, a charity that gave money to veterans and the families of fallen federal law enforcement agents.

Kallstrom more recently has advocated for Trump in other matters, includingclaiming that he talked to both former and current FBI agents who were “P.O.’d” about Comey’s decision not to pursue charges against Hillary Clinton.

Kallstrom’s name as it turns out came up in the text messages between FBI agent Peter Strzok and Lisa Page as they discussed the anti-Comey anti-Clinton leaks that were dripping out of the New York FBI Field Office in the weeks leading up to his sending his letter to Jason Chaffetz about the Weiner/Abedin emails.

Kallstrom is the former head of the New York FBI office, installed in that post in the ’90s by then-FBI director Louis Freeh, one of Rudy Giuliani’s longtime friends. Kallstrom has, like Giuliani, been on an anti-Comey romp for months, most often on Fox, where he’s called the Clintons a “crime family.” He has been invoking unnamed FBI agents who contact him to complain about Comey’s exoneration of Clinton in one interview after another, positioning himself as an apolitical champion of FBI values.

And speaking of former New York Mayor Rudy Giuliani, he claimed he was so tight with the New York FBI that he boasted about his advance knowledge of that impending development in several cryptic announcements about the October surprise. Giuliani’s ties to the New York FBI go back to his days as New York U.S. Attorney for the Southern District of New York.

On October 25, 26 and 28, 2016, Giuliani, then a prominent media spokesman for Trump, announced on various programs, including Fox News, that he expected “surprises” from Trump, coming from the FBI. He also bragged that he had gotten that information from "a few active agents, who obviously don't want to identity themselves" about the Weiner/Clinton email investigation.

Cohen and Sater both worked together on another attempt at Trump Tower Moscow during the Presidential Campaign in late 2015 having several meetings with Trump himself where he ultimately signed a letter of intent on the project.

Felix Sater emailed Michael Cohen about the new Trump Tower Moscow project saying “I will get Putin on this program and we will get Donald elected... I know how to play it and how to get this done. Buddy, our boy can become president of the USA and we can engineer it... I will get all of Putin’s team to buy in on this, I will manage this process.” Cohen later emailed the Kremlin trying to get the project going but they ignore him most likely because the bank the Sater had arranged to finance the project was sanctioned as a result of the illegal annexation of Crimea.

Sater and Cohen also worked together on a “peace plan” for Ukraine and Russia which ultimately resulted in having “treason” charges logged at their Ukrainian contact Adrill Artemenko.

The amateur diplomats say their goal is simply to help settle a grueling, three-year conflict that has cost 10,000 lives. “Who doesn’t want to help bring about peace?” Mr. Cohen asked.

But the proposal contains more than just a peace plan. Andrii V. Artemenko, the Ukrainian lawmaker, who sees himself as a Trump-style leader of a future Ukraine, claims to have evidence — “names of companies, wire transfers” — showing corruption by the Ukrainian president, Petro O. Poroshenko, that could help oust him. And Mr. Artemenko said he had received encouragement for his plans from top aides to Mr. Putin.

“A lot of people will call me a Russian agent, a U.S. agent, a C.I.A. agent,” Mr. Artemenko said. “But how can you find a good solution between our countries if we do not talk?”

Artemenko told a Ukrainian News outlet that he’s known Michael Cohen for some time since Cohen has an ethanol business in Ukriane, which is also where Cohen’s wife was born, and that his meeting with Cohen and Sater on Feb 6 wasn’t their first. According to Artemenko, he discussed the “peace-plan” with Cohen and Sater “at the time of the primaries, when no one believed that Trump would even be nominated.”

Of course if this proposal had gone through it would have resulted in the lifting of sanctions with Russia which would in turn allow for projects like Trump Tower Moscow to be finally implemented.

Also there is the mysterious trip to Prague that Cohen has been denying he took for nearly a year, but apparently Robert Mueller has proof that he did go. Although what he did while there has not yet been confirmed though the Steele dossier alleges he was fairly busy.

It suggests that Cohen took over management of the relationship with Russia after campaign chairman Paul Manafort was fired from the campaign in August 2016 following of questions about his relationship with a Russia-backed political party in Ukraine, as well as claims that he orchestrated changes to the Republican National Committee's platform regarding the two countries. Manafort has since been charged with multiple felony counts including witness tampering and faces the possibility of having his bail revoked and being jailed while awaiting trial, though his team of lawyers have so far been able to delay such an outcome that would have been routine for less wealthy and connected defendants.

Cohen is said to have met secretly with people in Prague — possibly at the Russian Center for Science and Culture — in the last week of August or the first of September. He allegedly met with representatives of the Russian government, possibly including officials of the Presidential Administration Legal Department; Oleg Solodukhin (who works with the Russian Center for Science and Culture); or Konstantin Kosachev, head of the foreign relations committee in the upper house of parliament. A planned meeting in Moscow, the dossier alleges, was considered too risky, given that a topic of conversation was how to divert attention from Manafort’s links to Russia and a trip to Moscow by Carter Page in July. Another topic of conversation, according to the dossier: allegedly paying off “Romanian hackers” who had been targeting the Clinton campaign.

It is also alleged that Michael Cohen has been lying about traveling to Prague because he was involved in negotiations to pay off someone so they could get out of town before the authorities caught up with them.

Coincidentally it turns out that Russian hacker Yevgenly Nikulin was indeed arrested in Prague not long after Cohen’s trip — so maybe he had good reason to cheese it and scram."

On a late July day in 2016, Donald Trump, the GOP nominee for president, stood at a lectern in Florida, next to an American flag, and urged a U.S. adversary to become involved in the election campaign and find tens of thousands of emails wiped from the server of his Democratic opponent, Hillary Clinton.

“Russia, if you’re listening,” he said at a news conference at one of his resorts, “I hope you’re able to find the 30,000 emails that are missing.”

That same day, July 27, several Russian government hackers launched an attack against the email accounts of staffers in Clinton’s personal office, according to a sweeping indictment Friday by special counsel Robert S. Mueller III. At or around the same time, the hackers also targeted 76 email addresses used by the Clinton campaign, investigators said.

Although the broad outlines of the hacking and influence campaign have been widely reported, the indictment describes for the first time the identities, techniques and tactics of the operation to disrupt American democracy.

It includes details on how the Russians, using an encrypted file with instructions, delivered their trove of hacked emails to WikiLeaks, the online anti-secrecy organization led by Julian Assange that became the main platform for the Russians to display their trove of hacked emails.

The indictment also reflects an aggressive but somewhat inartful operation in which hackers used the same computer servers to launder money by using the online currency bitcoin as they did to lure their victims and to register sites they used for hacking.

The hackers worked for the spy agency called the Main Intelligence Directorate of the General Staff, or GRU, the indictment said.

They also allegedly targeted a state election board, identified by U.S. officials as Illinois. The Russians stole information about 500,000 voters, including names, addresses, partial Social Security numbers, dates of birth and driver’s license numbers, according to the indictment.

********************************************************************

COUNT ONE

Conspiracy to Commit an Offense Against the United States (by a foreign power)

1. In or around 2016, the Russian Federation operated a military intelligence agency called the Main Intelligence Directorate of the General Staff The GRU had multiple units, including Units 26165 and 74455, engaged in cyber operations that involved the staged releases of documents stolen through computer intrusions. These units conducted large-scale cyber operations to interfere with the 2016 US. presidential election.

2. Defendants VIKT OR BORISOVICH BORIS ALEKSEYEVICH ANTONOV, DMITRIY SERGEYEVICH IVAN SERGEYEVICH YERMAKOV, ALEKSEY VIKTOROVICH LUKASHEV, SERGEY ALEKSANDROVICH MORGACHEV, NIKOLAY YURYEVICH KOZACHEK, PAVEL VYACHESLAVOVICH YERSHOV, ARTEMANDREYEVICH ALEKSANDR VLADIMIROVICH OSADCHUK, and ALEKSEY ALEKSANDROVICH POTENIKIN were GRU officers who knowingly and intentionally conspired with each other, and with persons known and unknown to the Grand Jury (collectively the Conspirators), to gain unauthorized access (to hack) into the computers of U.S. persons and entities involved in the 2016 U.S. presidential election, steal documents from these computers, and stage releases of the stolen documents to interfere with the 2016 U.S. presidential election.

3. Starting in at least March 2016, the Conspirators used a variety of means to hack the email accounts of Volunteers and employees of the U.S. presidential campaign of Hillary Clinton, including the email account of the Clinton Campaign?s chairman.

4. By in or around April 2016, the Conspirators also hacked into the computer networks of the Democratic Congressional Campaign Committee and the Democratic National Committee. The Conspirators covertly monitored the computers of dozens of DNC employees, implanted hundreds of files containing malicious computer code (malware), and stole emails and other documents from the and DNC.

5. By in or around April 2016, the Conspirators began to plan the release of materials stolenfrom the Clinton Campaign, and DNC.

6. Beginning in or around June 2016, the Conspirators staged and released tens of thousands of the stolen emails and documents. They did so using fictitious online personas, including DCLeaks and Guccifer

7. The Conspirators also used the Guccifer 2.0 persona to release additional stolen documents through a website maintained by an organization (?Organization that had previously posted documents stolen from U.S. persons, entities, and the U.S. government. The Conspirators continued their U.S. election-interference operations through in or around November 2016.

8. To hide their connections to Russia and the Russian government, the Conspirators used false identities and made false statements about their identities. To further avoid detection, the Conspirators used a network of computers located across the world, including in the United States, and paid for this infrastructure using

Defendants

9. Defendant VIKTOR BORISOVICH was the Russian military officer in command of Unit 26165, located at 20 Komsomolskiy Prospekt, Moscow, Russia. Unit 26165 had primary responsibility for hacking the and DNC, as well as the email accounts of individuals affiliated with the Clinton Campaign.

10. Defendant BORIS ALEKSEYEVICH ANTONOV was a Major in the Russian military assigned to Unit 26165. ANTONOV oversaw a department within Unit 26165 dedicated to targeting military, political, governmental, and non-governmental organizations with spearphishing emails and other computer intrusion activity. ANTONOV held the title Head of Department. In or around 2016, ANTONOV supervised other co-conspirators who targeted the DNC, and individuals affiliated with the Clinton Campaign.

11. Defendant DMITRIY SERGEYEVICH BADIN (Sauna Cepreennu) was a Russian military officer assigned to Unit 26165 who held the title Assistant Head of Department. In or around 2016, BADIN, along with AN TONOV, supervised other co-conspirators who targeted the DNC, and individuals affiliated with the Clinton Campaign.

I2. Defendant IVAN SERGEYEVICH YERMAKOV was a Russian military officer assigned to department within Unit 26165. Since in or around 2010, YERMAKOV used various online personas, including Kate S. Milton, James McMorgans, and Karen W. Millen, to conduct hacking operations on behalf of Unit 26165. In or around March 2016, YERMAKOV participated in hacking at least two email accounts fromwhich campaign-related documents were released through DCLeaks. In or around May 2016, YERMAKOV also participated in hacking the DNC email server and stealing DNC emails thatwere later released through Organization 1.

13. Defendant ALEKSEY VIKTOROVICH LUKASHEV was a Senior Lieutenant in the Russian military assigned to department within Unit 26165. LUKASHEV used various online personas, including Den Katenberg and Yuliana Martynova. In or around 2016, LUKASHEV sent spearphishing emails to members of the Clinton Campaign and affiliated individuals, including the chairman of the Clinton Campaign.

14. Defendant SERGEY ALEKSANDROVICH MORGACHEV was a Lieutenant Colonel in the Russian military assigned to Unit 26165. MORGACHEV oversaw a department within Unit 26165 dedicated to developing and managing malware, including a hacking tool used by the GRU known as ?X-Agent.? During the hacking of the DC CC and DNC networks, MORGACI-IEV supervised the co-conspirators who developed and monitored the X-Agent malware implanted on those computers.

15. Defendant NIKOLAY YURYEVICH KOZACHEK (Koaaqert was a Lieutenant Captain in the Russian military assigned to department within Unit 26165. KOZACHEK used a variety of monikers, including kazak and blablabla1234565. KOZACHEK developed, customized, and monitored X-Agent malware used to hack the and DNC networks beginning in or around April 2016.

16. Defendant PAVEL VYACHESLAVOVICH YERSHOV was a Russian military of?cer assigned to department within Unit 26165. In or around 2016, . YERSHOV assisted KOZACHEK and other co-conspirators in testing and customizing X-Agent malware before actual deployment and use.

17. Defendant ARTEM ANDREYEVICH MALYSHEV was a Second Lieutenant in the Russian military assigned to department within Unit 26165. MALYSHEV used a variety of monikers, including djangomagicdev and realblatr. In or around 2016, MALYSHEV monitored X-Agent malware implanted on the and DNC networks.

18. Defendant ALEKSANDR VLADIMJROVICH OSADCHUK was a Colonel in the Russian military and the commanding of?cer of Unit 7 445 5 . Unit 74455 was located at 22 Kirova Street, Khimki, Moscow, a building referred to within the GRU as the ?Tower.? Unit 74455 assisted in the release of stolen documents through the DCLeaks and Guccifer 2.0 personas, the promotion of those releases, and the publication of anti-Clinton content on social media accounts operated by the GRU.

19. Defendant ALEKSEY ALEKSANDROVICH POTEMKJN was an officer in the Russian military assigned to Unit 7445 5. POTEMKIN was a supervisor in a department within Unit 7445 5 responsible for the administration of computer infrastructure used in cyber operations. Infrastructure and social media accounts administered by department were used, among other things, to assist in the release of stolen documents through the DCLeaks and Guccifer 2.0 personas.

Object of the Conspiracy

20. The object of the conspiracy was to hack into the computers of U.S. persons and entitiesinvolved in the 2016 U.S. presidential election, steal documents from those computers, and stagereleases of the stolen documents to interfere with the 2016 U.S. presidential election.

Manner and Means of the Conspiracv

Spearphishing Operations

21. ANTONOV, BADIN, YERMAKOV, LUKASHEV, and their co-conspirators targetedvictims using a technique known as spearphishing to steal Victims? passwords or otherwise gainaccess to their computers. Beginning by at least March 2016, the Conspirators targeted over 300 individuals affliated with the Clinton Campaign, and DNC.

a. For example, on or about March 19, 2016, LUKASHEV and his co-conspirators created and sent a spearphishing email to the chairman of the Clinton Campaign. LUKASHEV used the account john356g at an online service that abbreviated website addresses (referred to as a URL-shortening service?).

LUKASHEV used the account to mask a link contained in the spearphishin email, which directed the recipient to a GRU created website. LUKASHEV altered the appearance of the sender email address in order to make it look like the email was a security noti?cation from Google (a technique known as spoofng), instructing the user to change his password by clicking the embedded link. Those instructions were followed. On or about March 21, 2016, LUKASHEV, YERMAKOV, and their co-conspirators stole the contents of the chairman?s email account, which consisted of over 50,000 emails.

b. Starting on or about March 19, 2016, LUKASHEV and his co?conspirators sent spearphishing emails to the personal accounts of other individuals affliated with the Clinton Campaign, including its campaign manager and a senior foreign policy adviser.

On or about March 25, 2016, LUKASHEV used the same john356gh account to mask additional links included in spearphishing emails sent to numerous individuals af?liated with the Clinton Campaign, including Victims and 2.

LUKASHEV sent these emails from the Russia-based email account hi.mymail@yandex.com that he spoofed to appear to be from Google.

c. On or about March 28, 2016, YERMAKOV researched the names of Victims and 2 and their association with Clinton on various social media sites. Through their spearphishing operations, LUKASI-IEV, YERMAKOV, and their co-conspirators successfully stole email credentials and thousands of emails from numerous individuals affliated with the Clinton Campaign. Many of these stolen emails, including those from Victims and 2, were later released by the Conspirators through DCLeaks.

d. On or about April 6, 2016, the Conspirators created an email account in the name (with a one-letter deviation from the actual spelling) of a known member of the Clinton Campaign. The Conspirators then used that account to send spearphishing emails to the work accounts of more than thirty different Clinton Campaign employees. In the spearphishing emails, LUKASHEV and his co-conspirators embedded a link purporting to direct the recipient to a document titled hillary. In fact, this link directed the recipients? computers to a GRU created website.

22. The Conspirators spearphished individuals affliated with the Clinton Campaign throughout the summer of 2016. For example, on or about July 27, 2016, the Conspirators attempted after hours to spearphish for the first time email accounts at a domain hosted by a third- party provider and used by Clinton?s personal office. At or around the same time, they also targeted seventy-six email addresses at the domain for the Clinton Campaign.

Hacking into the Network

23. Beginning in or around March 2016, the Conspirators, in addition to their spearphishing efforts, researched the and DNC computer networks to identify technical specifcations and vulnerabilities.

For example, beginning on or about March 15, 2016, YERMAKOV ran a technical query for the internet protocol configurations to identify connected devices. 011 or about the same day, YERMAKOV searched for open-source information about the DNC network, the Democratic Party, and Hillary Clinton.

On or about April 7, 2016, YERMAKOV ran a technical query for the internet protocol configurations to identify connected devices.

24. By in or around April 2016, Within days of searches regarding the the Conspirators hacked into the computer network. Once they gained access, they installed and managed different types of malware to explore the network and steal data.

a.

On or about April 12, 2016, the Conspirators used the stolen credentials of a Employee Employee to access the network. Employee 1 had received a spearphishing email from the Conspirators on or about April 6, 2016, and entered her password after clicking on the link.

Between in or around April 2016 and June 2016, the Conspirators installed multiple versions of their X-Agent malware on at least ten computers, which allowed them to monitor individual employees? computer activity, steal passwords, and maintain access to the network.

c. X-Agent malware implanted on the network transmitted information from the victims' computers to a GRU-leased server located in Arizona. The Conspirators referred to this server as their panel. KOZACHEK, MALYSHEV, and their co-conspirators logged into the AMS panel to use X Agent's keylog and screenshot functions in the course of monitoring and surveilling activity on the computers. The keylog function allowed the Conspirators to capture keystrokes entered by employees. The screenshot function allowed the Conspirators to take pictures of the employees' computer screens.

d. For example, on or about April 14, 2016, the Conspirators repeatedly activated X-Agent's keylog and screenshot functions to surveil Employee 1's computer activity over the course of eight hours. During that time, the Conspirators captured Employee 1?s communications with co-workers and the passwords she entered while working on fundraising and voter outreach projects. Similarly, on or about April 22, 2016, the Conspirators activated X-Agent?s keylog and screenshot functions to capture the discussions of another Employee Employee about the finances, as well as her individualbanking information and other personal topics.

25. On or about April 19, 2016, KOZACHEK, YERSHOV, and their co-conspirators remotely confgured an overseas computer to relay communications between X-Agent malware and the AMS panel and then tested X-Agent?s ability to connect to this computer. The Conspirators referred to this computer as a middle server. The middle server acted as a proxy to obscure the connection between malware at the and the Conspirators' AMS panel. On or about April 20, 2016, the Conspirators directed X-Agent malware on the computers to connect to this middle server and receive directions from the Conspirators.

Hacking into the DNC Network

26. On or about April 18, 2016, the Conspirators hacked into the computers through their access to the network. The Conspirators then installed and managed different types of malware (as they did in the network) to explore the DNC network and steal documents.

a. On or about April 18, 2016, the Conspirators activated X-Agent's keylog and screenshot functions to steal credentials of a employee who was authorized to access the DNC network. The Conspirators hacked into the DNC network from the network using stolen credentials. By in or around June 2016, they gained access to approximately thirty?three DNC computers.

b. In or around April 2016, the Conspirators installed X-Agent malware on the DNC network, including the same versions installed on the network. MALYSHEV and his co-conspirators monitored the X-Agent malware from the AMS panel and captured data from the victim computers. The AMS panel collected thousands of keylo and screenshot results from the and DNC computers, such as a screenshot and keystroke capture of Employee 2 viewing the online banking information.

Theft of and DNC Documents

27. The Conspirators searched for and identi?ed computers within the and DNC networks that stored information related to the 2016 US. presidential election. For example, on or about April 15, 2016, the Conspirators searched one hacked computer for terms that included hillary, cruz, and trump. The Conspirators also copied select folders, including ?Benghazi Investigations.? The Conspirators targeted computers containing information such as opposition research and ?eld operation plans for the 2016 elections.

28. To enable them to steal a large number of documents at once without detection, the Conspirators used a publicly available tool to gather and compress multiple documents on the and DNC networks. The Conspirators then used other GRU malware, known as X-Tunnel, to move the stolen documents outside the and DNC networks through channels.

a. For example, on or about April 22, 2016, the Conspirators compressed gigabytes of data from DNC computers, including opposition research. The Conspirators later moved the compressed DNC data using X-Tunnel to a GRU-leased computer located in Illinois.

b. On or about April 28, 2016, the Conspirators connected to and tested the same computer located in Illinois. Later that day, the Conspirators used X?Tunnel to connect to that computer to steal additional documents from the network.

29. Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees. During that time, YERMAKOV researched PowerShell commands related to accessing and managing the Microsoft Exchange Server.

30. On or about May 30, 2016, 1V1ALYSHEV accessed the AMS panel in order to upgrade custom AMS software on the server. That day, the AMS panel received updates from approximately thirteen different X-Agent malware implants on and DNC computers.

31. During the hacking of the and DNC networks, the Conspirators covered their tracks by intentionally deleting logs and computer ?les. For example, on or about May 13, 2016, the

Conspirators cleared the event logs from a DNC computer. On or about June 20, 2016, the 11 Conspirators deleted logs from the AMS panel that documented their activities on the panel, including the login history.

Efforts to Remain on the and DNC Networks

32. Despite the Conspirators? efforts to hide their activity, beginning in or around May 2016, both the and DNC became aware that they had been hacked and hired a security company to identify the extent of the intrusions. By in or around June 2016, Company 1 took steps to exclude intruders from the networks. Despite these efforts, a Linux-based version of X-Agent, programmed to communicate with the GRU registered domain remained on the DNC network until in or around October 2016.

33. In response to Company 1?s efforts, the Conspirators took countermeasures to maintain access to the and DNC networks.

a. On or about May 31, 2016, YERMAKOV searched for open~source information about Company 1 and its reporting on X-Agent and X-Tunnel. On or about June 1, 2016, the Conspirators attempted to delete traces of their presence on the network using the computer program CCleaner.

On or about June 14, 2016, the Conspirators registered the domain actblues.com, which mimicked the domain of a political fundraising platform that included a donations page. Shortly thereafter, the Conspirators used stolen credentials to modify the website and redirect Visitors to the actbluescom domain.

On or about June 20, 2016, after Company 1 had disabled X-Agent on the network, the Conspirators spent over seven hours unsuccessfully trying to connect to X-Agent. The Conspirators also tried to access the network using previously stolen credentials.

34. In or around September 2016, the Conspirators also successfully gained access to DNCcomputers hosted on a third-party cloud-computing service. These computers contained testapplications related to the analytics. After conducting reconnaissance, the Conspiratorsgathered data by creating backups, or ?snapshots,? of the cloud-based systems using thecloud provider?s own technology. The Conspirators then moved the snapshots to cloud-basedaccounts they had registered with the same service, thereby stealing the data from the DNC.

Stolen Documents Released through DCLeaks

35. More than a month before the release of any documents, the Conspirators constructed theonline persona DCLeaks to release and publicize stolen election-related documents. On or aboutApril 19, 2016, after attempting to register the domain electionleaks.com, the Conspiratorsregistered the domain dcleaks.com through a service that anonymized the registrant. The fundsused to pay for the dcleaks.com domain originated from an account at an online service that the Conspirators also used to fund the lease of a virtual private server registered with the operational email account dirbinsaabol@mai1.com. The dirbinsaabol email account was also used to'register the john356gh URL-shortening account used by LUKASHEV to spearphish the Clinton Campaign chairman and other campaign-related individuals.

36. On or about June 8, 2016, the Conspirators launched the public website dcleaks.com, whichthey used to release stolen emails. Before it shut down in or around March 2017, the site receivedover one million page Views. The Conspirators falsely claimed on the site that DCLeaks wasstarted by a group of ?American hacktivists,? when in fact it was started by the Conspirators.

37. Starting in or around June 2016 and continuing through the 2016 US. presidential election,the Conspirators used DCLeaks to release emails stolen from individuals affiliated with the ClintonCampaign. The Conspirators also released documents they had stolen in other spearphishing operations, including those they had conducted in 2015 that collected emails from individuals affliated with the Republican Party.

38. On or about June 8, 2016, and at approximately the same time that the dcleaks.com websitewas launched, the Conspirators created a DCLeaks Facebook page using a preexisting social mediaaccount under the fictitious name Alice Donovan. In addition to the DCLeaks acebook page,the Conspirators used other social media accounts in the names of fictitious U.S. persons such asJason Scott and Richard Gingrey to promote the DCLeaks website. The Conspirators accessedthese accounts from computers managed by POTEMKIN and his co-conspirators.

39. On or about June 8, 2016, the Conspirators created the Twitter account @dcleaksw. TheConspirators operated the @dcleaks_ Twitter account from the same computer used for other efforts to interfere with the 2016 U.S. presidential election. For example, the Conspirators used the same computer to operate the Twitter account @BaltimoreIsWhr, through which they encouraged U.S. audiences to join our flash mob opposing Clinton and to post images with the hashtag #BlacksAgainstHillary.

Stolen Documents Released through Guccifer 2.0

40. On or about June 14, 2016, the DNC - through Company l - publicly announced that ithad been hacked by Russian government actors. In response, the Conspirators created the onlinepersona Guccifer 2.0 and falsely claimed to be a lone Romanian hacker to undermine the allegations of Russian responsibility for the intrusion.

41. On or about June 15, 2016, the Conspirators logged into a Moscow-based server used and managed by Unit 74455 and, between 4:19 PM and 4:56 PM Moscow Standard Time, searched for certain words and phrases, including:

some hundred sheets

some hundreds of sheets

dcleaks

illuminati

mnpono useec'rnm nepeaon[widely known translation]

worldwide known

think twice about

company's competence

42. Later that day, at 7:02 PM Moscow Standard Time, the online persona Guccifer 2.0 published its FIrst post on a blog site created through WordPress.